Home/ Questions/Q 6884975
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T05:34:35+00:00

I was looking at this: http://docs.oracle.com/javase/7/docs/technotes/tools/windows/kinit.html and noticed that it says I could use

  • 0

I was looking at this: http://docs.oracle.com/javase/7/docs/technotes/tools/windows/kinit.html and noticed that it says I could use the “password flag”. I am not sure how to do this though?

Can I enter the password for kinit without it prompting me?

For example currently:

If I type in:

$ kinit test@REALM

I get response:

test@REALM's password:

and I have to enter the password. Is there anyway I can input something like kinit test@REALM password so it doesn’t prompt me?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Use a keytab for that principal!

    In detail: How do I a service keytab.

    There are multiple ways, but I will assume the following: You are running Active Directory as your KDC implementation, you backend runs on a Unix or Unix-like OS like CentOS, FreeBSD, HP-UX, etc. You have also MIT Kerberos or Heimdal installed and the krb5.conf is properly configured.

    Install msktutil(1) via package/ports manager or compile from source. If you choose to compile, make sure that all dependencies are present on your machine.

    Now run mskutil:

    $ /usr/local/sbin/msktutil update --verbose --use-service-account --account-name <samAccountName> \
  --old-account-password <password> --dont-change-password --keytab <path>

    Replace samAccountName and password with your data. Leave out dont-change-password if you are fine with autogenerated passwords. Adjust path where you want to store the keytab file.

    Sample run:

    $ /usr/local/sbin/msktutil update --verbose --use-service-account --account-name uawet8er \
>   --old-account-password '...' --dont-change-password --keytab uawet8er.keytab
 -- execute: Skipping creation of new password
 -- get_dc_host: Attempting to find Domain Controller to use via DNS SRV record in domain AD.EXAMPLE.COM for procotol tcp
 -- validate: Found DC: dc01.ad.example.com. Checking availability...
 -- get_dc_host: Found preferred Domain Controller: dc01.ad.example.com
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-y6WVDM
 -- destroy_g_context: Destroying Kerberos Context
 -- initialize_g_context: Creating Kerberos Context
 -- finalize_exec: SAM Account Name is: uawet8er
 -- try_machine_password: Trying to authenticate for uawet8er with password
 -- create_default_machine_password: Default machine password for uawet8er is uawet8er
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Vorauthentifizierung fehlgeschlagen)
 -- try_machine_password: Authentication with password failed
 -- try_machine_supplied_password: Trying to authenticate for uawet8er with supplied password
 -- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-ZUutAC
 -- finalize_exec: Authenticated using method 6
 -- LDAPConnection: Connecting to LDAP server: dc01.ad.example.com
SASL/GSSAPI authentication started
SASL username: uawet8er@AD.EXAMPLE.COM
SASL SSF: 256
SASL data security layer installed.
 -- ldap_get_base_dn: Determining default LDAP base: dc=AD,dc=EXAMPLE,dc=COM
 -- get_default_ou: Determining default OU: CN=Users,DC=ad,DC=example,DC=com
 -- ldap_check_account: Checking that a service account for uawet8er exists
 -- ldap_check_account: Checking service account - found
 -- ldap_check_account: Found userAccountControl = 0x200
 -- ldap_check_account: Found supportedEncryptionTypes = 28
 -- ldap_check_account: Found User Principal: uawet8er
 -- ldap_check_account_strings: Inspecting (and updating) service account attributes
 -- ldap_set_supportedEncryptionTypes: No need to change msDs-supportedEncryptionTypes they are 28
 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0
 -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x200
 -- ldap_get_kvno: KVNO is 8
 -- remove_keytab_entries: Trying to remove entries for uawet8er from keytab
 -- execute: Updating all entries for service account uawet8er in the keytab WRFILE:uawet8er.keytab
 -- update_keytab: Updating all entries for uawet8er
 -- add_principal_keytab: Adding principal to keytab: uawet8er
 -- get_salt: Using salt of AD.EXAMPLE.COMuawet8er
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- add_principal_keytab: Adding principal to keytab: uawet8er
 -- get_salt: Using salt of AD.EXAMPLE.COMuawet8er
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- add_keytab_entries: Trying to add missing entries for uawet8er to keytab

    Now check your keytab with kinit:

    $ kinit  -k -t uawet8er.keytab uawet8er
$ klist
Ticketzwischenspeicher: FILE:/tmp/krb5cc_722
Standard-Principal: uawet8er@AD.EXAMPLE.COM

Valid starting       Expires              Service principal
24.07.2019 13:15:45  24.07.2019 23:15:45  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        erneuern bis 25.07.2019 13:15:45

    This keytab is now ready to be used with your login.conf for JGSS or with KRB5_CLIENT_KTNAME and MIT Kerberos.

    • 0